Abstract
The modern security landscape for distributed computing in High Energy Physics (HEP) includes a wide range of threats employing different attack vectors. The nature of these threats is such that the most effective method for dealing with them is to work collaboratively, both within the HEP community and with partners further afield - these can, and should, include institutional and campus security teams. In parallel with this work, an appropriate technology stack is essential, incorporating current work on Big Data analytics. The work of the Worldwide LHC Computing Grid (WLCG) Security Operations Center (SOC) Working Group (WG) [1] is to pursue these goals to form a reference design (or guidelines) for WLCG sites of different types. The strategy of the group is to identify necessary components - starting with threat intelligence (MISP [2]) and network intrusion detection (Bro [3]), building a working model over time. We present on the progress of the working group thus far, in particular on the programme of workshops now underway. These workshops give an opportunity to engage with sites to allow the development of advice and procedures for deployment, as well as facilitating wider discussions on how to best work with trust groups at different levels. These trust groups vary in scope but can include institutes, National Grid Infrastructures and the WLCG as a whole.
Highlights
The threat landscape faced by High Energy Physics (HEP) computing sites includes attack vectors from a wide range of sources
The growing use of virtualisation technologies in HEP computing sites means that the visibility into individual job payloads and processes can be considerably reduced over that found in “traditional” grid sites using worker nodes deployed on bare metal
Different policies can be implemented as Bro scripts for detecting trusted bulk data transfers, triggering a StackStorm action to deploy an Access Control List (ACL) for preventing further data packets for being forwarded, while allowing the TCP control flags that are used to signal the end of the connection
Summary
The threat landscape faced by HEP computing sites includes attack vectors from a wide range of sources These vectors, which can include ransomware and phishing campaigns, have the potential of affecting many sites and communities within a short time; as a result, the most effective way of dealing with these threats is via collaboration and the sharing of threat intelligence. That implies monitoring the state of individual clusters using modern analytics techniques, while being mindful of recent increases in the use of virtualisation and containers for the development of HEP computing site structure This collection of tools for monitoring the state of a cluster, sharing threat intelligence and performing analysis is known as a Security Operations Centre
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
